Your Data's Gone, But That Doesn't Necessarily Mean Fraud Will Follow

Less than 3% of all stolen data actually ends up being used to commit fraud, according to industry experts.

Although fear of stolen customer data and identity fraud leaves many IT and security executives tossing and turning at night, experts point out that data theft, while a very real concern, infrequently leads to identity theft and fraud.

While the theft of millions of cardholder records is indeed a problem, several security professionals throughout Visa's security summit pointed out that a small fraction of those cardholder records will actually be used to commit fraud. "Less than 3% of all stolen data actually ends up being used to commit fraud," says Bryan Sartin, VP of investigative response for security service provider Cybertrust.

It's a distinction that few consumers make. Javelin Strategy & Research Thursday released findings from a study indicating a strong relationship between a consumer's perception of a retailer's reputation for safeguarding card account data and the consumer's willingness to shop there. Based on the Javelin study, which surveyed 1,200 credit or debit cardholders in February, consumers believe retailers share an equal responsibility with banks, credit card companies, processors, and cardholders themselves for protecting their credit and debit card account information.

Retailers are perceived to be the weakest link in this chain, according to 63% of respondents. Even worse, whether or not the retailer is responsible for a data breach, 49% of respondents would judge the retailer as the most likely source of the compromise.

Yet identity fraud is leveling off. In fact, the total amount of fraud is on the decline in the United States, down over the past year from $55.7 billion to $49.3 billion. The average identity theft victim within the past year paid $587 out of pocket when a thief targeted an existing financial account or payment card. When a thief used the stolen identity information to open new accounts, the victim was set back $617 on average.

How a company responds to data theft is often more telling than the data theft itself. There are different sides--law enforcement, corporate legal counsel, company executives, and customers--who want data theft to be revealed publicly more or less quickly, depending on what's at stake for them, according to James Lee, senior VP and chief public and consumer affairs officer for ChoicePoint, the company most associated with data theft and loss in recent years. "Err on the side of the consumer, even though they aren't the only stakeholders," Lee said Thursday at Visa USA's security summit in Washington, D.C. ChoicePoint is a provider of information services, marketing, risk management, pre-employment screening, and background checks.

Regardless of how quickly you respond, "you are going to be sued," Lee quipped, adding, "You are going to meet many new and interesting friends who work for government agencies with three letters." The way to survive investigations subsequent to a breach is to provide as much information as possible.

In fact, Lee said the courts dismissed a number of consumer complaints against ChoicePoint in part because of the company's efforts to communicate with the public.

"Tell people how you fixed it and then look for other problems before they happen," he said. "Embrace the horror and talk to your critics. Be patient, it's a long road from scoundrel to elder statesman, and one that takes years."
